AES-GCM Functions

The Galois/Counter Mode (GCM) is a mode of operation of the AES algorithm. GCM [NIST SP 800-38D] uses a variation of the Counter mode of operation for encryption. GCM assures authenticity of the confidential data (of up to about 64 GB per invocation) using a universal hash function defined over a binary finite field (the Galois field).

GCM can also provide authentication assurance for additional data (of practically unlimited length per invocation) that is not encrypted. If the GCM input contains only data that is not to be encrypted, the resulting specialization of GCM, called GMAC, is simply an authentication mode for the input data.

GCM provides stronger authentication assurance than a (non-cryptographic) checksum or error detecting code. In particular, GCM can detect both accidental modifications of the data and intentional, unauthorized modifications.

The AES-GCM function set includes incremental functions, which enable authenticated encryption/decryption of several messages using one key. The application code for conducting a typical AES-GCM authenticated encryption should follow the sequence of operations as outlined below:

1. Get the size required to configure the context IppsAES_GCMState by calling the function AES_GCMGetSize.
2. Call the system memory-allocation service function to allocate a buffer whose size is not less than the function AES_GCMGetSize specifies.
3. Initialize the context IppsAES_GCMState*pCtx by calling the function AES_GCMInit with the allocated buffer and the respective AES key.
4. Call AES_GCMStart to start authenticated encryption of the first/next message.
5. Keep calling AES_GCMEncrypt until the entire message is processed.
6. Request the authentication tag by calling AES_GCMGetTag.
7. Proceed to the next message, if any, that is, go to step 4.
8. Clean up secret data stored in the context.
9. Call the system memory free service function to release the buffer allocated for the context IppsAES_GCMState, if needed.

If the size of the initial vector and/or additional authenticated data (IV and AAD parameters of the AES_GCMStart function, respectively) is large or any of these parameters is placed in a disconnected memory buffer, replace step 4 above with the following sequence:

1. Call AES_GCMReset to prepare the IppsAES_GCMState context for authenticated encryption of the first/new message.

2. Keep calling AES_GCMProcessIV for successive parts of IV until the entire IV is processed.

3. Keep calling AES_GCMProcessAAD for successive parts of AAD until the entire AAD is processed.